Community advisory boards have been set up in several industries with the aim of building a cultural environment that focuses on efforts to improve the quality of strategies, actions, and knowledge by providing a forum for experts to discuss current scenarios within the industry.
I recently had the opportunity to speak with Garry Bergin, Commercial Director and Security Consultant at Manguard Plus, to discuss the importance of the global advisory board community; Board roles and C-levels; and security and compliance programs.
Global Advisory Council Community
VigiTrust’s Global Advisory Board comprises a group of leading security and compliance experts from more than 30 countries including C-level executives, board members, regulators, law enforcement, researchers, other stakeholders and influencers in the security industry.
Gary Bergin believes that the Global Advisory Board helps bring society and knowledge together in one place. According to Gary, “Nobody knows everything, but if you put like-minded professionals in a room, you know a lot more.”
Accountability, Board of Directors and C-Level
The principle of accountability requires organizations to take responsibility for what they do with data or information, and to abide by the principles of GDPR compliance. However, organizations must have appropriate measures and records in place to demonstrate compliance.
Gary explains that “Accountability at the board level is critical, and it is not after the horse has bolted. Applicable regulations such as GDPR, PCI DSS, ISO 27001 and NIST are in place to support this.”
In Gary’s view, boards and C-levels should work on the following main themes:
- Try to achieve a formal standard for regulating cybersecurity (e.g., ISO 27001) within their organization.
- Identify the removable media within the organization and the “means” component of the fraud triangle (means, motive, and opportunity).
- Have strict, non-negotiable policies on passwords and authentication.
- Have good encryption and policies for mobile devices and laptops, as more people are now working remotely.
- Build cohesive and collaborative communication between the physical security team, the IT security team and the human resources department.
Garry also advises that if a CSO or CISO is trying to persuade a CEO or board of directors to obtain additional funding for their cyber program, they should use quantitative information rather than qualitative opinions. For example, if you tell the CEO that the company is at risk from criminal hackers, you will likely be ignored. However, if you can, tell the CEO things like:
- There have been 3000 phishing attempts on our system in the past two months
- There have been 1,000 attempts to gain access to our system and confidential files
- Any potential breach may cause us to be out of business for 5 days
- The cost of any breach could cost us $450,000
- If we have a breach, we may lose 10% of our customers due to damage to our reputation.
If you use the available data, you might catch their attention!
Security and compliance programs
Ongoing compliance programs are a necessity for all organizations. Without the regular audit that comes with the compliance component, organizations tend to feel complacent and shift their focus and resources elsewhere within the organization.
For Gary, compliance programs should be a professional requirement for all stakeholders, not only in the cybersecurity sector, but in all areas of security and risk. Continuing Professional Development (CPD) should be part of every security professional’s personal development plan from an HR perspective.
“The security industry is moving so fast that it is very easy for people who do not take their profession seriously to be left behind,” says Gary. “So it should be mandatory for all security professionals.”
Technical solutions
In terms of technical solutions, Gary stated that they will continue to dominate all sectors of security and risk, especially the field of artificial intelligence (AI), but that there will always be a need for “boots on the ground” to manage these functions.
The same is true for intelligence-led risk modeling. These systems are only as good as the data entered into them: if the data is inaccurate or corrupt, the systems become unreliable or even inoperable.
Finally, in providing an overview of the current cybersecurity landscape, Gary noted that the industry puts a lot of effort, time, and funding into protecting against network vulnerabilities, operating system vulnerabilities, and process vulnerabilities, but not much into the human element of vulnerability, particularly the threat from within.
For him, “it remains a tick-the-box exercise that effectively exposes business operations to unimaginable risks, which is really scary.”
